ietf-nntp Multiple AUTHINFOs per session

Ken Murchison ken at oceana.com
Mon Jan 6 07:03:09 PST 2003


Russ Allbery wrote:
> 
> Ade Lovett <ade at lovett.com> writes:
> 
> > Gee thanks.  Creating a new session has a non-zero cost.  So I could
> > probably DoS a server under this scheme by sending repeated requests
> > (let's be clever and bounce between two accounts, rather than sending
> > the same account information over and over to defeat the (if
> > same(username) and same(password) do buggerall)).
> 
> You can DoS a server a whole bunch of different ways, starting from
> opening a ton of connections and working your way up through the protocol.
> The server has to detect people who are doing things like that and cut
> them off if this is a problem.  I don't think that's an argument either
> way; this applies to any NNTP command with any significant server-side
> processing cost.
> 
> I don't personally see much practical use for reauthenticating as a
> different user, though.

The only valid use that I can come up with is an admin who wishes to
proxy as several users (e.g., via SASL PLAIN), but this doesn't make much
sense in NNTP.  Even in IMAP where this might be useful, you have to use
separate sessions.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
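
Added example, not part of the original message or of any NNTP server's code: a sketch of the point in the quoted exchange, that a same-credentials shortcut does not bound the work when a client alternates between two accounts, while a per-connection budget on credential checks does. The `Session` class, the `max_reauth` policy value, the helper names and the command streams are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Session:
    max_reauth: int = 3                      # assumed policy value, per connection
    pending_user: Optional[str] = None
    current: Optional[Tuple[str, str]] = None
    checks: int = 0                          # costly credential checks performed
    closed: bool = False

    def handle(self, line: str, budget: bool) -> str:
        if self.closed:
            return "closed"
        parts = line.strip().split(None, 2)
        if len(parts) != 3 or parts[0].upper() != "AUTHINFO":
            return "other"
        kind, arg = parts[1].upper(), parts[2]
        if kind == "USER":
            self.pending_user = arg
            return "need-pass"
        if kind != "PASS" or self.pending_user is None:
            return "out-of-sequence"
        creds, self.pending_user = (self.pending_user, arg), None
        if creds == self.current:
            return "no-op"                   # same(username) and same(password)
        if budget and self.checks >= self.max_reauth:
            self.closed = True               # cut the client off
            return "closed"
        self.checks += 1                     # stands in for new-session setup cost
        self.current = creds                 # assumption: the check succeeds
        return "checked"


def replay(commands, budget):
    """Feed a command stream to one session; return (checks, closed)."""
    s = Session()
    for line in commands:
        s.handle(line, budget)
    return s.checks, s.closed


def logins(users, rounds):
    """Constructed sample input: `rounds` AUTHINFO USER/PASS pairs."""
    out = []
    for i in range(rounds):
        u = users[i % len(users)]
        out += [f"AUTHINFO USER {u}\r\n", f"AUTHINFO PASS pw-{u}\r\n"]
    return out


if __name__ == "__main__":
    print(replay(logins(["alice"], 10), budget=False))         # (1, False)
    print(replay(logins(["alice", "bob"], 10), budget=False))  # (10, False)
    print(replay(logins(["alice", "bob"], 10), budget=True))   # (3, True)
```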


